Sample viewer

vx.netlux.org/Virus.DOS.KOV.Eddy.1420

Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-17T22:48:32.604674567Z 42 PC: 29130 | Get date 0x29130: cmp cx, 0x7cc
0x29134: jne 0x29140
0x29136: cmp dh, 8
0x29139: ja 0x29140
0x2913b: cmp dl, 0x14
0x2913e: jb 0x29189
0x29140: mov al, 0xff
0x29142: mov ah, 0xf
0x29144: xchg al, ah
0x29146: nop
0x29147: int 0x21
0x29149: cmp ax, 0x101
0x2914c: jne 0x29152
0x2914e: call 0x2918d
0x29151: nop
0x29152: mov ax, 0x3521
0x29155: nop
0x29156: int 0x21
0x29158: cmp word ptr es:[0xa], 0x4254
0x2915f: jne 0x2916d
2018-12-17T22:48:32.608874757Z 255 PC: 29149 | UNKNOWN!
2018-12-17T22:48:32.610158345Z 53 PC: 29158 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-17T22:48:32.611959265Z 240 PC: 29187 | UNKNOWN!
2018-12-17T22:48:32.617167223Z 44 PC: 29085 | Get time 0x29085: cmp cl, 1
0x29088: jne 0x290bf
0x2908a: mov ax, 0xb800
0x2908d: mov es, ax
0x2908f: mov cx, 0x30
0x29092: push cx
0x29093: mov cx, 0x7c0
0x29096: xor si, si
0x29098: mov ah, byte ptr es:[si]
0x2909b: cmp ah, 0x77
0x2909e: jb 0x290ad
0x290a0: dec ah
0x290a2: mov byte ptr es:[si], ah
0x290a5: mov byte ptr es:[si + 1], 0x79
0x290aa: jmp 0x290b7
0x290ac: nop
0x290ad: inc ah
0x290af: mov byte ptr es:[si], ah
0x290b2: mov byte ptr es:[si + 1], 0x8f
0x290b7: inc si
2018-12-17T22:48:32.650482993Z 48 PC: 2df14 | Get DOS version
2018-12-17T22:48:32.652043306Z 74 PC: 2df8b | Reallocate memory
2018-12-17T22:48:32.655311477Z 72 PC: 2f4b7 | Allocate memory
2018-12-17T22:48:32.65810197Z 74 PC: 2f467 | Reallocate memory
2018-12-17T22:48:32.660328903Z 48 PC: 2e214 | Get DOS version
2018-12-17T22:48:32.662695477Z 53 PC: 2e015 | Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:48:32.664492176Z 37 PC: 2e027 | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-17T22:48:32.667252091Z 68 PC: 2e0b3 | I/O control for devices (Set for = '�׹��2����E�$� �!�E�')
2018-12-17T22:48:32.670281947Z 68 PC: 2e0b3 | I/O control for devices (Set for = '�')
2018-12-17T22:48:32.671867223Z 68 PC: 2e0b3 | I/O control for devices (Set for = '')
2018-12-17T22:48:32.673399928Z 68 PC: 2e0b3 | I/O control for devices (Set for = '')
2018-12-17T22:48:32.676021469Z 68 PC: 2e0b3 | I/O control for devices (Set for = '')
2018-12-17T22:48:32.678337798Z 48 PC: 2db9b | Get DOS version
2018-12-17T22:48:32.68011386Z 37 PC: 137c9 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-17T22:48:32.682283148Z 37 PC: 137d6 | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-17T22:48:32.683808068Z 25 PC: 14c8a | Get default drive
2018-12-17T22:48:32.685249724Z 25 PC: 2fd76 | Get default drive
2018-12-17T22:48:32.687301743Z 71 PC: 2f92b | Get current directory
2018-12-17T22:48:32.708178544Z 64 PC: 2f180 | Write file or device (Write 132 bytes on handle 1)
2018-12-17T22:48:32.715045693Z 64 PC: 2f180 | Write file or device (Write 2 bytes on handle 1)
2018-12-17T22:48:32.720497766Z 64 PC: 2f180 | Write file or device (Write 2 bytes on handle 1)
2018-12-17T22:48:32.724239874Z 42 PC: 13c53 | Get date 0x13c53: cmp cx, 0x7cd
0x13c57: ja 0x13c6c
0x13c59: jb 0x13c67
0x13c5b: cmp dh, 4
0x13c5e: ja 0x13c6c
0x13c60: jb 0x13c67
0x13c62: cmp dl, 0xf
0x13c65: ja 0x13c6c
0x13c67: mov word ptr [bp - 4], 1
0x13c6c: cmp word ptr [bp - 4], 0
0x13c70: jne 0x13c9f
0x13c72: push 3
0x13c74: lcall 0x14a6:0x123
0x13c79: push 1
0x13c7b: lcall 0x14a6:0x123
0x13c80: push 0
0x13c82: lcall 0x13e4:0x9da
0x13c87: or ax, ax
0x13c89: jne 0x13c98
0x13c8b: push 2
2018-12-17T22:48:32.728268368Z 64 PC: 2f180 | Write file or device (Write 85 bytes on handle 1)
2018-12-17T22:48:32.737941731Z 64 PC: 2f1e6 | Write file or device (Write 24 bytes on handle 1)
2018-12-17T22:48:32.741403384Z 12 PC: 14811 | Flush input buffer and input

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":9584,"SideJobID":0}

Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T12:23:22.770472785Z 42 PC: 29130 | Get date 0x29130: cmp cx, 0x7cc
0x29134: jne 0x29140
0x29136: cmp dh, 8
0x29139: ja 0x29140
0x2913b: cmp dl, 0x14
0x2913e: jb 0x29189
0x29140: mov al, 0xff
0x29142: mov ah, 0xf
0x29144: xchg al, ah
0x29146: nop
0x29147: int 0x21
0x29149: cmp ax, 0x101
0x2914c: jne 0x29152
0x2914e: call 0x2918d
0x29151: nop
0x29152: mov ax, 0x3521
0x29155: nop
0x29156: int 0x21
0x29158: cmp word ptr es:[0xa], 0x4254
0x2915f: jne 0x2916d
2018-12-25T12:23:22.773575737Z 255 PC: 29149 | UNKNOWN!
2018-12-25T12:23:22.775876919Z 53 PC: 29158 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:23:22.77800481Z 240 PC: 29187 | UNKNOWN!
2018-12-25T12:23:22.779160851Z 44 PC: 29085 | Get time 0x29085: cmp cl, 1
0x29088: jne 0x290bf
0x2908a: mov ax, 0xb800
0x2908d: mov es, ax
0x2908f: mov cx, 0x30
0x29092: push cx
0x29093: mov cx, 0x7c0
0x29096: xor si, si
0x29098: mov ah, byte ptr es:[si]
0x2909b: cmp ah, 0x77
0x2909e: jb 0x290ad
0x290a0: dec ah
0x290a2: mov byte ptr es:[si], ah
0x290a5: mov byte ptr es:[si + 1], 0x79
0x290aa: jmp 0x290b7
0x290ac: nop
0x290ad: inc ah
0x290af: mov byte ptr es:[si], ah
0x290b2: mov byte ptr es:[si + 1], 0x8f
0x290b7: inc si
2018-12-25T12:23:22.799397037Z 48 PC: 2df14 | Get DOS version
2018-12-25T12:23:22.801254112Z 74 PC: 2df8b | Reallocate memory
2018-12-25T12:23:22.803010157Z 72 PC: 2f4b7 | Allocate memory
2018-12-25T12:23:22.804793559Z 74 PC: 2f467 | Reallocate memory
2018-12-25T12:23:22.806563449Z 48 PC: 2e214 | Get DOS version
2018-12-25T12:23:22.811907323Z 53 PC: 2e015 | Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:23:22.815194133Z 37 PC: 2e027 | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:23:22.817578756Z 68 PC: 2e0b3 | I/O control for devices (Set for = '�׹��2����E�$� �!�E�')
2018-12-25T12:23:22.82004989Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:22.821887507Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:22.826761409Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:22.829507118Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:22.830708929Z 48 PC: 2db9b | Get DOS version
2018-12-25T12:23:22.831681519Z 37 PC: 137c9 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:23:22.833280042Z 37 PC: 137d6 | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T12:23:22.834460949Z 25 PC: 14c8a | Get default drive
2018-12-25T12:23:22.835438246Z 25 PC: 2fd76 | Get default drive
2018-12-25T12:23:22.836691914Z 71 PC: 2f92b | Get current directory
2018-12-25T12:23:22.850735671Z 64 PC: 2f180 | Write file or device (Write 132 bytes on handle 1)
2018-12-25T12:23:22.858583214Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:22.862893985Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:22.866088485Z 42 PC: 13c53 | Get date 0x13c53: cmp cx, 0x7cd
0x13c57: ja 0x13c6c
0x13c59: jb 0x13c67
0x13c5b: cmp dh, 4
0x13c5e: ja 0x13c6c
0x13c60: jb 0x13c67
0x13c62: cmp dl, 0xf
0x13c65: ja 0x13c6c
0x13c67: mov word ptr [bp - 4], 1
0x13c6c: cmp word ptr [bp - 4], 0
0x13c70: jne 0x13c9f
0x13c72: push 3
0x13c74: lcall 0x14a6:0x123
0x13c79: push 1
0x13c7b: lcall 0x14a6:0x123
0x13c80: push 0
0x13c82: lcall 0x13e4:0x9da
0x13c87: or ax, ax
0x13c89: jne 0x13c98
0x13c8b: push 2
2018-12-25T12:23:22.868630332Z 64 PC: 2f1e6 | Write file or device (Write 22 bytes on handle 1)
2018-12-25T12:23:22.884793068Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:22.889515529Z 64 PC: 2f1e6 | Write file or device (See above)
2018-12-25T12:23:22.894904844Z 48 PC: 2db9b | Get DOS version (See above)
2018-12-25T12:23:22.896674834Z 82 PC: 151ab | Get DOS internal pointers (SYSVARS)
2018-12-25T12:23:22.898968216Z 82 PC: 150a5 | Get DOS internal pointers (SYSVARS)
2018-12-25T12:23:22.90036872Z 88 PC: 15078 | case 0xGet or set allocation strateg:
2018-12-25T12:23:22.902056494Z 88 PC: 15094 | case 0xGet or set allocation strateg:
2018-12-25T12:23:22.906670474Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:22.913193883Z 64 PC: 2f1e6 | Write file or device (See above)
2018-12-25T12:23:22.91971753Z 61 PC: 2ee31 | Open file (Filename = 'A:\TEST.EXE')
2018-12-25T12:23:22.927447001Z 68 PC: 2ee63 | I/O control for devices (Set for = 'A:\TEST.EXE')
2018-12-25T12:23:22.930106062Z 67 PC: 2ef63 | Get or set file attributes
2018-12-25T12:23:22.94289629Z 66 PC: 2edd8 | Move file pointer
2018-12-25T12:23:22.944583497Z 63 PC: 2efe8 | Read file or device (Read 512 bytes on handle 5)
2018-12-25T12:23:22.952254127Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:22.954505774Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:22.962646985Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:22.967315276Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:22.972520679Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:22.983622704Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:22.985385163Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:22.997034256Z 62 PC: 2ed5e | Close file
2018-12-25T12:23:22.999596015Z 61 PC: 2ee31 | Open file (See above)
2018-12-25T12:23:23.006863536Z 68 PC: 2ee63 | I/O control for devices (See above)
2018-12-25T12:23:23.009331886Z 67 PC: 2ef63 | Get or set file attributes (See above)
2018-12-25T12:23:23.016156756Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.017921909Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.020651691Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.023641481Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.025536177Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.028317692Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.036393866Z 62 PC: 2ed5e | Close file (See above)
2018-12-25T12:23:23.040072952Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.04697116Z 14 PC: 2ff51 | Set default drive (Drive = 'A')
2018-12-25T12:23:23.049359134Z 59 PC: 14c44 | Change current directory
2018-12-25T12:23:23.054309369Z 37 PC: 2e16f | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:23:23.056197462Z 76 PC: 2e154 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":0,"Second":0,"TimeBased":true,"OriginalID":9584,"SideJobID":0}

Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T12:23:22.908664222Z 42 PC: 29130 | Get date 0x29130: cmp cx, 0x7cc
0x29134: jne 0x29140
0x29136: cmp dh, 8
0x29139: ja 0x29140
0x2913b: cmp dl, 0x14
0x2913e: jb 0x29189
0x29140: mov al, 0xff
0x29142: mov ah, 0xf
0x29144: xchg al, ah
0x29146: nop
0x29147: int 0x21
0x29149: cmp ax, 0x101
0x2914c: jne 0x29152
0x2914e: call 0x2918d
0x29151: nop
0x29152: mov ax, 0x3521
0x29155: nop
0x29156: int 0x21
0x29158: cmp word ptr es:[0xa], 0x4254
0x2915f: jne 0x2916d
2018-12-25T12:23:22.910990249Z 255 PC: 29149 | UNKNOWN!
2018-12-25T12:23:22.912135267Z 53 PC: 29158 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:23:22.914080955Z 240 PC: 29187 | UNKNOWN!
2018-12-25T12:23:22.915427298Z 44 PC: 29085 | Get time 0x29085: cmp cl, 1
0x29088: jne 0x290bf
0x2908a: mov ax, 0xb800
0x2908d: mov es, ax
0x2908f: mov cx, 0x30
0x29092: push cx
0x29093: mov cx, 0x7c0
0x29096: xor si, si
0x29098: mov ah, byte ptr es:[si]
0x2909b: cmp ah, 0x77
0x2909e: jb 0x290ad
0x290a0: dec ah
0x290a2: mov byte ptr es:[si], ah
0x290a5: mov byte ptr es:[si + 1], 0x79
0x290aa: jmp 0x290b7
0x290ac: nop
0x290ad: inc ah
0x290af: mov byte ptr es:[si], ah
0x290b2: mov byte ptr es:[si + 1], 0x8f
0x290b7: inc si
2018-12-25T12:23:22.948838985Z 48 PC: 2df14 | Get DOS version
2018-12-25T12:23:22.950312999Z 74 PC: 2df8b | Reallocate memory
2018-12-25T12:23:22.953043101Z 72 PC: 2f4b7 | Allocate memory
2018-12-25T12:23:22.955391324Z 74 PC: 2f467 | Reallocate memory
2018-12-25T12:23:22.957301274Z 48 PC: 2e214 | Get DOS version
2018-12-25T12:23:22.959076996Z 53 PC: 2e015 | Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:23:22.960366996Z 37 PC: 2e027 | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:23:22.961736633Z 68 PC: 2e0b3 | I/O control for devices (Set for = '�׹��2����E�$� �!�E�')
2018-12-25T12:23:22.96441307Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:22.965989222Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:22.967472483Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:22.96944521Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:22.971063701Z 48 PC: 2db9b | Get DOS version
2018-12-25T12:23:22.972755422Z 37 PC: 137c9 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:23:22.974578706Z 37 PC: 137d6 | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T12:23:22.977362971Z 25 PC: 14c8a | Get default drive
2018-12-25T12:23:22.978555388Z 25 PC: 2fd76 | Get default drive
2018-12-25T12:23:22.980485578Z 71 PC: 2f92b | Get current directory
2018-12-25T12:23:23.00082658Z 64 PC: 2f180 | Write file or device (Write 132 bytes on handle 1)
2018-12-25T12:23:23.007181981Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.011165312Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.01327487Z 42 PC: 13c53 | Get date 0x13c53: cmp cx, 0x7cd
0x13c57: ja 0x13c6c
0x13c59: jb 0x13c67
0x13c5b: cmp dh, 4
0x13c5e: ja 0x13c6c
0x13c60: jb 0x13c67
0x13c62: cmp dl, 0xf
0x13c65: ja 0x13c6c
0x13c67: mov word ptr [bp - 4], 1
0x13c6c: cmp word ptr [bp - 4], 0
0x13c70: jne 0x13c9f
0x13c72: push 3
0x13c74: lcall 0x14a6:0x123
0x13c79: push 1
0x13c7b: lcall 0x14a6:0x123
0x13c80: push 0
0x13c82: lcall 0x13e4:0x9da
0x13c87: or ax, ax
0x13c89: jne 0x13c98
0x13c8b: push 2
2018-12-25T12:23:23.016132443Z 64 PC: 2f1e6 | Write file or device (Write 22 bytes on handle 1)
2018-12-25T12:23:23.024339272Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.035676749Z 64 PC: 2f1e6 | Write file or device (See above)
2018-12-25T12:23:23.046257856Z 48 PC: 2db9b | Get DOS version (See above)
2018-12-25T12:23:23.047910944Z 82 PC: 151ab | Get DOS internal pointers (SYSVARS)
2018-12-25T12:23:23.049661854Z 82 PC: 150a5 | Get DOS internal pointers (SYSVARS)
2018-12-25T12:23:23.050862799Z 88 PC: 15078 | case 0xGet or set allocation strateg:
2018-12-25T12:23:23.052676465Z 88 PC: 15094 | case 0xGet or set allocation strateg:
2018-12-25T12:23:23.0553484Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.059658566Z 64 PC: 2f1e6 | Write file or device (See above)
2018-12-25T12:23:23.063421622Z 61 PC: 2ee31 | Open file (Filename = 'A:\TEST.EXE')
2018-12-25T12:23:23.071065716Z 68 PC: 2ee63 | I/O control for devices (Set for = 'A:\TEST.EXE')
2018-12-25T12:23:23.072737313Z 67 PC: 2ef63 | Get or set file attributes
2018-12-25T12:23:23.079913846Z 66 PC: 2edd8 | Move file pointer
2018-12-25T12:23:23.096630094Z 63 PC: 2efe8 | Read file or device (Read 512 bytes on handle 5)
2018-12-25T12:23:23.105577907Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.108350227Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.116251226Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.119590685Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.121953636Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.132847047Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.135020928Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.146663817Z 62 PC: 2ed5e | Close file
2018-12-25T12:23:23.149228573Z 61 PC: 2ee31 | Open file (See above)
2018-12-25T12:23:23.156814021Z 68 PC: 2ee63 | I/O control for devices (See above)
2018-12-25T12:23:23.159300137Z 67 PC: 2ef63 | Get or set file attributes (See above)
2018-12-25T12:23:23.165802184Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.167803104Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.170191913Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.17318911Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.175030443Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.193451676Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.201160357Z 62 PC: 2ed5e | Close file (See above)
2018-12-25T12:23:23.205029466Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.212878957Z 14 PC: 2ff51 | Set default drive (Drive = 'A')
2018-12-25T12:23:23.215187608Z 59 PC: 14c44 | Change current directory
2018-12-25T12:23:23.220391976Z 37 PC: 2e16f | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:23:23.222536848Z 76 PC: 2e154 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":1,"Second":0,"TimeBased":true,"OriginalID":9584,"SideJobID":0}

Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T12:23:23.609296481Z 42 PC: 29130 | Get date 0x29130: cmp cx, 0x7cc
0x29134: jne 0x29140
0x29136: cmp dh, 8
0x29139: ja 0x29140
0x2913b: cmp dl, 0x14
0x2913e: jb 0x29189
0x29140: mov al, 0xff
0x29142: mov ah, 0xf
0x29144: xchg al, ah
0x29146: nop
0x29147: int 0x21
0x29149: cmp ax, 0x101
0x2914c: jne 0x29152
0x2914e: call 0x2918d
0x29151: nop
0x29152: mov ax, 0x3521
0x29155: nop
0x29156: int 0x21
0x29158: cmp word ptr es:[0xa], 0x4254
0x2915f: jne 0x2916d
2018-12-25T12:23:23.610829021Z 255 PC: 29149 | UNKNOWN!
2018-12-25T12:23:23.611374026Z 53 PC: 29158 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:23:23.612890592Z 240 PC: 29187 | UNKNOWN!
2018-12-25T12:23:23.613734572Z 44 PC: 29085 | Get time 0x29085: cmp cl, 1
0x29088: jne 0x290bf
0x2908a: mov ax, 0xb800
0x2908d: mov es, ax
0x2908f: mov cx, 0x30
0x29092: push cx
0x29093: mov cx, 0x7c0
0x29096: xor si, si
0x29098: mov ah, byte ptr es:[si]
0x2909b: cmp ah, 0x77
0x2909e: jb 0x290ad
0x290a0: dec ah
0x290a2: mov byte ptr es:[si], ah
0x290a5: mov byte ptr es:[si + 1], 0x79
0x290aa: jmp 0x290b7
0x290ac: nop
0x290ad: inc ah
0x290af: mov byte ptr es:[si], ah
0x290b2: mov byte ptr es:[si + 1], 0x8f
0x290b7: inc si
2018-12-25T12:23:23.656597548Z 48 PC: 2df14 | Get DOS version
2018-12-25T12:23:23.658152265Z 74 PC: 2df8b | Reallocate memory
2018-12-25T12:23:23.65933021Z 72 PC: 2f4b7 | Allocate memory
2018-12-25T12:23:23.661100248Z 74 PC: 2f467 | Reallocate memory
2018-12-25T12:23:23.663109656Z 48 PC: 2e214 | Get DOS version
2018-12-25T12:23:23.664169362Z 53 PC: 2e015 | Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:23:23.665188028Z 37 PC: 2e027 | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:23:23.666539604Z 68 PC: 2e0b3 | I/O control for devices (Set for = '�׹��2����E�$� �!�E�')
2018-12-25T12:23:23.667595628Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:23.668563389Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:23.670147972Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:23.671122088Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:23.672269184Z 48 PC: 2db9b | Get DOS version
2018-12-25T12:23:23.673591244Z 37 PC: 137c9 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:23:23.674567298Z 37 PC: 137d6 | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T12:23:23.675576145Z 25 PC: 14c8a | Get default drive
2018-12-25T12:23:23.676929496Z 25 PC: 2fd76 | Get default drive
2018-12-25T12:23:23.678067612Z 71 PC: 2f92b | Get current directory
2018-12-25T12:23:23.688798259Z 64 PC: 2f180 | Write file or device (Write 132 bytes on handle 1)
2018-12-25T12:23:23.69460308Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.698598929Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.702896651Z 42 PC: 13c53 | Get date 0x13c53: cmp cx, 0x7cd
0x13c57: ja 0x13c6c
0x13c59: jb 0x13c67
0x13c5b: cmp dh, 4
0x13c5e: ja 0x13c6c
0x13c60: jb 0x13c67
0x13c62: cmp dl, 0xf
0x13c65: ja 0x13c6c
0x13c67: mov word ptr [bp - 4], 1
0x13c6c: cmp word ptr [bp - 4], 0
0x13c70: jne 0x13c9f
0x13c72: push 3
0x13c74: lcall 0x14a6:0x123
0x13c79: push 1
0x13c7b: lcall 0x14a6:0x123
0x13c80: push 0
0x13c82: lcall 0x13e4:0x9da
0x13c87: or ax, ax
0x13c89: jne 0x13c98
0x13c8b: push 2
2018-12-25T12:23:23.70710814Z 64 PC: 2f1e6 | Write file or device (Write 22 bytes on handle 1)
2018-12-25T12:23:23.710883095Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.714934649Z 64 PC: 2f1e6 | Write file or device (See above)
2018-12-25T12:23:23.720930517Z 48 PC: 2db9b | Get DOS version (See above)
2018-12-25T12:23:23.722030232Z 82 PC: 151ab | Get DOS internal pointers (SYSVARS)
2018-12-25T12:23:23.723986118Z 82 PC: 150a5 | Get DOS internal pointers (SYSVARS)
2018-12-25T12:23:23.725375152Z 88 PC: 15078 | case 0xGet or set allocation strateg:
2018-12-25T12:23:23.726499424Z 88 PC: 15094 | case 0xGet or set allocation strateg:
2018-12-25T12:23:23.72993323Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.735309288Z 64 PC: 2f1e6 | Write file or device (See above)
2018-12-25T12:23:23.738107131Z 61 PC: 2ee31 | Open file (Filename = 'A:\TEST.EXE')
2018-12-25T12:23:23.74213385Z 68 PC: 2ee63 | I/O control for devices (Set for = 'A:\TEST.EXE')
2018-12-25T12:23:23.743758948Z 67 PC: 2ef63 | Get or set file attributes
2018-12-25T12:23:23.747442681Z 66 PC: 2edd8 | Move file pointer
2018-12-25T12:23:23.750563842Z 63 PC: 2efe8 | Read file or device (Read 512 bytes on handle 5)
2018-12-25T12:23:23.756291104Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.757445992Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.761799722Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.764350952Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.765493826Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.771585887Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.773173979Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.779955251Z 62 PC: 2ed5e | Close file
2018-12-25T12:23:23.783248804Z 61 PC: 2ee31 | Open file (See above)
2018-12-25T12:23:23.790993622Z 68 PC: 2ee63 | I/O control for devices (See above)
2018-12-25T12:23:23.792810253Z 67 PC: 2ef63 | Get or set file attributes (See above)
2018-12-25T12:23:23.798885031Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.801707023Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.803525358Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.806532579Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.809340468Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.810798993Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.815369693Z 62 PC: 2ed5e | Close file (See above)
2018-12-25T12:23:23.819489175Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.825213697Z 14 PC: 2ff51 | Set default drive (Drive = 'A')
2018-12-25T12:23:23.826874799Z 59 PC: 14c44 | Change current directory
2018-12-25T12:23:23.832450235Z 37 PC: 2e16f | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:23:23.833893269Z 76 PC: 2e154 | Terminate with return code (Return code = '1')

{"DateBased":true,"Day":1,"Month":1,"Year":1980,"Hour":0,"Min":1,"Second":0,"TimeBased":true,"OriginalID":9584,"SideJobID":0}

Syscalls:

Time | Syscall Op | PC | Syscall Name
2018-12-25T12:23:23.415751415Z 42 PC: 29130 | Get date 0x29130: cmp cx, 0x7cc
0x29134: jne 0x29140
0x29136: cmp dh, 8
0x29139: ja 0x29140
0x2913b: cmp dl, 0x14
0x2913e: jb 0x29189
0x29140: mov al, 0xff
0x29142: mov ah, 0xf
0x29144: xchg al, ah
0x29146: nop
0x29147: int 0x21
0x29149: cmp ax, 0x101
0x2914c: jne 0x29152
0x2914e: call 0x2918d
0x29151: nop
0x29152: mov ax, 0x3521
0x29155: nop
0x29156: int 0x21
0x29158: cmp word ptr es:[0xa], 0x4254
0x2915f: jne 0x2916d
2018-12-25T12:23:23.419051081Z 255 PC: 29149 | UNKNOWN!
2018-12-25T12:23:23.42044469Z 53 PC: 29158 | Get interrupt vector (Interrupt = '33' AKA 'Random read')
2018-12-25T12:23:23.422458839Z 240 PC: 29187 | UNKNOWN!
2018-12-25T12:23:23.424428115Z 44 PC: 29085 | Get time 0x29085: cmp cl, 1
0x29088: jne 0x290bf
0x2908a: mov ax, 0xb800
0x2908d: mov es, ax
0x2908f: mov cx, 0x30
0x29092: push cx
0x29093: mov cx, 0x7c0
0x29096: xor si, si
0x29098: mov ah, byte ptr es:[si]
0x2909b: cmp ah, 0x77
0x2909e: jb 0x290ad
0x290a0: dec ah
0x290a2: mov byte ptr es:[si], ah
0x290a5: mov byte ptr es:[si + 1], 0x79
0x290aa: jmp 0x290b7
0x290ac: nop
0x290ad: inc ah
0x290af: mov byte ptr es:[si], ah
0x290b2: mov byte ptr es:[si + 1], 0x8f
0x290b7: inc si
2018-12-25T12:23:23.537530189Z 48 PC: 2df14 | Get DOS version
2018-12-25T12:23:23.539839133Z 74 PC: 2df8b | Reallocate memory
2018-12-25T12:23:23.542109318Z 72 PC: 2f4b7 | Allocate memory
2018-12-25T12:23:23.545044926Z 74 PC: 2f467 | Reallocate memory
2018-12-25T12:23:23.54788311Z 48 PC: 2e214 | Get DOS version
2018-12-25T12:23:23.550532217Z 53 PC: 2e015 | Get interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:23:23.552309636Z 37 PC: 2e027 | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:23:23.553960078Z 68 PC: 2e0b3 | I/O control for devices (Set for = '�׹��2����E�$� �!�E�')
2018-12-25T12:23:23.56750393Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:23.569824155Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:23.571598495Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:23.577296515Z 68 PC: 2e0b3 | I/O control for devices (See above)
2018-12-25T12:23:23.581180727Z 48 PC: 2db9b | Get DOS version
2018-12-25T12:23:23.583303279Z 37 PC: 137c9 | Set interrupt vector (Interrupt = '36' AKA 'Set random record number')
2018-12-25T12:23:23.586111402Z 37 PC: 137d6 | Set interrupt vector (Interrupt = '35' AKA 'Get file size in records')
2018-12-25T12:23:23.58768315Z 25 PC: 14c8a | Get default drive
2018-12-25T12:23:23.589271806Z 25 PC: 2fd76 | Get default drive
2018-12-25T12:23:23.591598323Z 71 PC: 2f92b | Get current directory
2018-12-25T12:23:23.612932906Z 64 PC: 2f180 | Write file or device (Write 132 bytes on handle 1)
2018-12-25T12:23:23.619715342Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.625874996Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.629501563Z 42 PC: 13c53 | Get date 0x13c53: cmp cx, 0x7cd
0x13c57: ja 0x13c6c
0x13c59: jb 0x13c67
0x13c5b: cmp dh, 4
0x13c5e: ja 0x13c6c
0x13c60: jb 0x13c67
0x13c62: cmp dl, 0xf
0x13c65: ja 0x13c6c
0x13c67: mov word ptr [bp - 4], 1
0x13c6c: cmp word ptr [bp - 4], 0
0x13c70: jne 0x13c9f
0x13c72: push 3
0x13c74: lcall 0x14a6:0x123
0x13c79: push 1
0x13c7b: lcall 0x14a6:0x123
0x13c80: push 0
0x13c82: lcall 0x13e4:0x9da
0x13c87: or ax, ax
0x13c89: jne 0x13c98
0x13c8b: push 2
2018-12-25T12:23:23.63508451Z 64 PC: 2f1e6 | Write file or device (Write 22 bytes on handle 1)
2018-12-25T12:23:23.647120709Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.652263938Z 64 PC: 2f1e6 | Write file or device (See above)
2018-12-25T12:23:23.658010382Z 48 PC: 2db9b | Get DOS version (See above)
2018-12-25T12:23:23.660484382Z 82 PC: 151ab | Get DOS internal pointers (SYSVARS)
2018-12-25T12:23:23.663539581Z 82 PC: 150a5 | Get DOS internal pointers (SYSVARS)
2018-12-25T12:23:23.665247155Z 88 PC: 15078 | case 0xGet or set allocation strateg:
2018-12-25T12:23:23.667785289Z 88 PC: 15094 | case 0xGet or set allocation strateg:
2018-12-25T12:23:23.672678584Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.679450138Z 64 PC: 2f1e6 | Write file or device (See above)
2018-12-25T12:23:23.68565727Z 61 PC: 2ee31 | Open file (Filename = 'A:\TEST.EXE')
2018-12-25T12:23:23.693555262Z 68 PC: 2ee63 | I/O control for devices (Set for = 'A:\TEST.EXE')
2018-12-25T12:23:23.695727078Z 67 PC: 2ef63 | Get or set file attributes
2018-12-25T12:23:23.703726755Z 66 PC: 2edd8 | Move file pointer
2018-12-25T12:23:23.708936421Z 63 PC: 2efe8 | Read file or device (Read 512 bytes on handle 5)
2018-12-25T12:23:23.717618843Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.720076746Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.728583861Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.732310746Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.734717293Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.747010714Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.74926136Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.760350962Z 62 PC: 2ed5e | Close file
2018-12-25T12:23:23.764334907Z 61 PC: 2ee31 | Open file (See above)
2018-12-25T12:23:23.772266291Z 68 PC: 2ee63 | I/O control for devices (See above)
2018-12-25T12:23:23.774471812Z 67 PC: 2ef63 | Get or set file attributes (See above)
2018-12-25T12:23:23.782528106Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.78562216Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.78780573Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.792259135Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.794532058Z 66 PC: 2edd8 | Move file pointer (See above)
2018-12-25T12:23:23.796710064Z 63 PC: 2efe8 | Read file or device (See above)
2018-12-25T12:23:23.805752161Z 62 PC: 2ed5e | Close file (See above)
2018-12-25T12:23:23.810199293Z 64 PC: 2f180 | Write file or device (See above)
2018-12-25T12:23:23.817039106Z 14 PC: 2ff51 | Set default drive (Drive = 'A')
2018-12-25T12:23:23.819619453Z 59 PC: 14c44 | Change current directory
2018-12-25T12:23:23.824958926Z 37 PC: 2e16f | Set interrupt vector (Interrupt = '0' AKA 'Program terminate')
2018-12-25T12:23:23.826632292Z 76 PC: 2e154 | Terminate with return code (Return code = '1')